Knowledge Base article 925336 had originally documented instructions using the Local Security Policy UI to work around this issue based on my previous blog post. While both Windows XP and Windows Server 2003 are theoretically susceptible to this issue, to date it’s only been observed on Windows Server 2003 – particularly on machines in an Active Directory domain.

Investigations showed that when there’s a conflict with domain policy, the UI instructions I documented won’t set the registry value that SAFER – the software restriction policy API introduced in Windows XP – uses to determine whether to validate all files.

To reliably workaround this issue, you should follow the instructions below. It is highly recommended that you remove your machine from any domain while installing Visual Studio 2005 Service Pack 1 if you’ve encountered this problem. Otherwise a domain policy refresh could override the registry value during installation and block the installation.

Leave your domain if belong to a domain and reboot

Set the DWORD registry value PolicyScope to 1 in the HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsSaferCodeIdentifiers registry key

rem Replace the name of the patch below according to which patch you downloadedrem This exmple silently installs the patch with verbose logging enabledstart /wait VS80sp1-KB926601-X86-ENU.exe /L*v+ “%TMP%VS80sp1-KB926601-X86-ENU.log” /quiet

Glad it helped, Toad. Funny thing is that I created the basis for the KB article in a previous blog entry and reviewed the KB before it was publishd. At the time, no testing uncovered the problems exhibited with domain machines because our domains didn’t have an active policy set, so the local override was effective.

John, you can delete the $PatchCache$ directory anytime but your patch uninstall and binary delta patching scenarios will require original source for any products for which you deleted the baseline cache.

Removing from the domain – or even unplugging the network cable – is just a precaution to avoid the situation where, in the middle of the installation (specifically inbetween periods when Windows Installer calls into SAFER), a domain policy overrides your local settings.